Cisco Systems SG50028PK9NA First Hop Security Overview

Security: IPV6 First Hop Security

First Hop Security Overview

Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 411

First Hop Security Overview

IPv6 FHS is a suite of features designed to secure link operations in an IPv6-

enabled network. It is based on the Neighbor Discovery Protocol and DHCPv6

messages.

In this feature, a Layer 2 switch (as shown in Figure 6) filters Neighbor Discover y

Protocol messages, DHCPv6 messages and user data messages according to a

number of different rules.

Figure6 First Hop Security Configuration

A separate and independent instance of IPv6 First Hop Security runs on each

VLAN on which the feature is enabled.

Abbreviations

Name Description

CPA message Certification Path Advertisement message

CPS message Certification Path Solicitation message

DAD-NS message Duplicate Address Detection Neighbor

Solicitation message

FCFS-SAVI First Come First Served - Source Address

Validation Improvement

Contents

Main Table of Contents Chapter 5: Administration: Stack Management 58 Chapter 6: Administration 98 Chapter 7: Administration: Time Settings 126 Chapter 8: Administration: Diagnostics 140 Chapter 9: Administration: Discovery 148 Chapter 10: Administration: Unidirectional Link Detection 183 Chapter 11: Port Management 194 Chapter 12: Smartport 216 Chapter 13: Port Management: PoE 248 Chapter 14: VLAN Management 256 Chapter 15: Spanning Tree 292 Page Chapter 21: Security 428 Chapter 22: Security: 802.1X Authentication 482 Chapter 23: Security: First Hop Security 515 Chapter 24: Security: SSH Client 544 Chapter 25: Security: SSH Server 556 Page Page Getting Started Starting the Web-based Configuration Utilit y Browser Restrictions Launching the Configuration Utility Logging In HTTP/HTTPS Password Expiration Logging Out Page Quick Start Device Configuration Interface Naming Conventions Differences Betwe en 500 Devices Page Window Navigation Application Header Page Management Buttons Page Page Status and Statistics System Summary Viewing Ethernet Interfaces Page Viewing Etherlike Statistics Viewing GVRP Statistics Viewing 802.1X EAP Statistics Viewing TCAM Utilization Health Managing RMON Viewing RMON Statistics Page Configuring RMON History , Viewing the RMON History Table Defining RMON Events Control Viewing the RMON Events Logs Defining RMON Alarms View Log Page Administration: System Log Setting System Log Settings Page Setting Remote Logging Settings Page Viewing Memory Logs RAM Memory Flash Memory Page Administration: File Management System Files Files and File Type s File Actions Upgrade/Backup Firmware/Language Upgrade/Backing Firmware or Language File Page Page Active Image Download/Backup Configuration/Log Configuration File Backwards Compatibility Downloading or Backing-up a Configuration or Log File Page Page Page Page Configuration Files Properties Copy/Save Configuration Auto Configuration via DHCP DHCP Server Options Auto Configuration Download Protocol (TFTP or SCP) SSH Client Authentication Parameters Auto Configuration Process Configuring DHCP Auto Configuration Web Configuration Auto By File Extension File Extension for SCP SSH Client Authentication Remote SSH Server Authentication SCP Only Page Administration: Stack Management Page Types of Units in Stack Backward Compatibility of Number of Units in Stack Unit LEDs Stack Topology Types of Stack Topology Topology Discovery Unit ID Assignment Duplicate Unit IDs Page Master Selection Process Stack Changes Connecting a New Unit Page Unit Failure in Stack Failure of Master Unit Master/Backup Switchover Slave Unit Handling Reconnecting the Original Master Unit After Failover Software Auto Synchronization in Stack Stack Unit Mode Stack Configuration Options Consistency of Stack Unit Modes in the Stack Changing the Stack Unit Mode System Mode (500 Devices) After Reboot Configuration After Reboot Stack Ports Default Stack and Network Ports Page Pairs of Ports Port Speeds Auto Selection of Port Speed Connecting Units Cables Types Page Page Default Configuration Interactions With Other Features System Modes System Mode Backwards Compatibility System Mode and Stack Management Page Page Administration Device Models Page Displaying the System Summary System Information: Software Information: TCP/UDP Services Status: PoE Power Information on Master Unit: Detail System Settings Console Settings (Autobaud Rate Support) Management Interface System Mode and Stack Management Idle Session Timeout User Accounts Defining Idle Session Timeout Time Settings System Log File Management Rebooting the Device Administration > File Management > Copy/Save Configuration Page Routing Resources Page Page Health Diagnostics Discovery - Bonjour Discovery - LLDP Discovery - CDP Ping Page Traceroute Page Page Page Page Page Page Page Page Page Administration: Time Settings System Time Options Time Time Zone and Daylight Savings Time (DST) SNTP Modes Configuring System Time Selecting Source of System Time USA European By Dates Recurring By Dates Adding a Unicast SNTP Server In Process Page Configuring the SNTP Mode Defining SNTP Authentication Time Range Absolute Time Range Recurring Time Range Page Administration: Diagnostics Testing Copper Ports Preconditions to Running the Copper Port Test Page Displaying Optical Module Status MSA-compatible SFPs Page Configuring Port and VLAN Mirroring Viewing CPU Utilization and Secure Core Technology Page Administration: Discovery Bonjour Bonjour in Layer 2 System Mode Bonjour in Layer 3 System Mode LLDP and CDP Configuring LLDP LLDP Overview LLDP Configuration Workflow Setting LLDP Properties Flooding Filtering MAC Address Editing LLDP Port Settings Page LLDP MED Network Policy LLDP Media Endpoint Discovery Setting LLDP MED Network Policy Configuring LLDP MED Port Settings . Network Policy Displaying LLDP Port Status Displaying LLDP Local Information Global Management Address MAC/PHY Details 802.3 Details 802.3 Link Aggregation 802.3 Energy Efficient Ethernet (EEE) (If device supports EEE) MED Details Location Information Network Policy Table Tag g e d Untagged Displaying LLDP Neighbors Information Port Details Basic Details Management Address Table MAC/PHY Details 802.3 Power via MDI 802.3 Details 802.3 Link Aggregation 802.3 Energy Efficient Ethernet (EEE) MED Details Page Accessing LLDP Statistics Unrecognized Discarded Errors Status Configuring CDP Setting CDP Properties CDP Configuration Workflow Flooding Filtering Bridging Page Editing CDP Interface Settings Displaying CDP Local Information Page Displaying CDP Neighbors Information Page Viewing CDP Statistics Page Page Port Management Configuring Ports Setting Port Configuration Port Settings Page Page Error Recovery Settings Link Aggregation Link Aggregation Overview Load Balancing LAG Management Default Settings and Configuration Static and Dynamic LAG Workflow Defining LAG Management Configuring LAG Settings Page Configuring LACP LACP Priority and Rules LACP With No Link Partner Setting LACP Parameter Settings UDLD PoE Configuring Green Ethernet Green Ethernet Overview Page Power Saving by Disabling Port LEDs 802.3az Energy Efficient Ethernet Feature 802.3az EEE Overview Advertise Capabilities Negotiation Link Level Discovery for 802.3az EEE Availability of 802.3az EEE Default Configuration Interactions Between Features 802.3az EEE Configuration Workflow Setting Global Green Ethernet Properties Setting Green Ethernet Properties for Ports Page Page Port Management: Unidirectional Link Detection UDLD Overview UDLD Operation UDLD States and Modes How UDLD Works UDLD Not Supported or is Disabled on a Neighbor Inconsistent UDLD Mode in Local and Neighboring Device Reactivating a Shutdown Port Usage Guidelines Dependencies On Other Features Default Settings and Configuration Before You Start Common UDLD Tasks Workflow1: To globally enable UDLD on fiber ports, perform the following steps: Configuring UDLD UDLD Global Settings UDLD Interface Settings UDLD Neighbors Page Smartport Page What is a Smartport Smartport Types Special Smartport Type s Smartport Macros Applying a Smartport Type to an Interface Macro Failure and the Reset Operation How the Smartport Feature Works Auto Smartport Enabling Auto Smartport Identifying Smartport Type Using CDP/LLDP Information to Identify Smartport Types Page Multiple Devices Attached to the Port Switch Persistent Auto Smartport Interface Error Handling Default Configuration Relationships with Other Features and Backwards Compatibility Common Smartport Tasks Workflow2: To configure an interface as a static Smartport, perform the following steps: Workflow4: To rerun a Smartport macro after it has failed, perform the following step s: Unknown Configuring Smartport Using The Web-b ased Interface Smartport Properties Smartport Type Settings Smartport Interface Settings Port Type Unknown Built-in Smartport Macros desktop no_desktop printer no_printer guest no_guest]] server no_server host no_host ip_camera no_ip_camera ip_phone no_ip_phone ip_phone_desktop no_ip_phone_desktop switch no_switch router no_router ap Port Management: PoE PoE on the Device PoE Features PoE Operation PoE Configuration Considerations Page Configuring PoE Properties Class Limit Port Limit Configuring PoE Settings PoE priority example: Page Page VLAN Management VLANs VLAN Description VLAN Roles QinQ VLAN Configuration Workflow Configuring Default VLAN Settings Creating VLANs Configuring VLAN Interface Settings Defining VLAN Membership Configuring Port to VLAN Configuring VLAN Membership GVRP Settings Defining GVRP Settings VLAN Groups MAC-based Groups Assigning MAC-based VLAN Groups Mapping VLAN Group to VLAN Per Interface Protocol-based VLANs Protocol-Based Groups Protocol-Based Groups to VLAN Mapping Voice VLAN Voice VLAN Overview Dynamic Voice VLAN Modes Voice End-Points Auto Voice VLAN, Auto Smartports, CDP, and LLDP Defaults Voice VLAN Triggers Auto Voice VLAN Voice VLAN QoS Voice VLAN Constraints Voice VLAN Workflows Workflow1: To configure Auto Voice VLAN: Workflow2: To configure the Telephony OUI Method Configuring Voice VLAN Configuring Voice VLAN Properties Enable Auto Voice VLAN Auto Voice VLAN Activation Administration > Discovery > LLDP > LLDP MED Network Policy Enable Telephony OUI Displaying Auto Voice VLAN Settings Page Configuring Telephony OUI Adding OUIs to the Telephony OUI Table Page Adding Interfaces to Voice VLAN on Basis of OUIs Access Port Multicast T V VLAN IGMP Snooping Differences Between Regular and Multicast T V VLANs Configuration Multicast TV Group to VLAN Port Multicast VLAN Membership Customer Port Multicast TV VL AN Mapping CPE VLANs to Multicast TV VLANs CPE Port Multicast VLAN Membership Spanning Tree STP Flavors Configuring STP Status and Global Settings Page Defining Spanning Tree Interface Settings Page Configuring Rapid Spanning Tree Settings Enable Root Auto Disable Page Multiple Spanning Tree Defining MSTP Properties Mapping VLANs to a MSTP Instance Defining MSTP Instance Settings Defining MSTP Interface Settings Boundary Page Managing MAC Address Tables Types of MAC Addresses Configuring Static MAC Addresses Managing Dynamic MAC Addresses Configuring Dynamic MAC Address Aging Time Querying Dynamic Addresses Defining Reserved MAC Addres ses Bridge Discard All LLC-SNAP Multicast Multicast Forwarding Typical Multicast Setup Page Multicast Address Properties Defining Multicast Properties Page Adding MAC Group Address Page Adding IP Multicast Group Addresses Configuring IGMP Snooping Page Page MLD Snooping Page Querying IGMP/MLD IP Multicast Group Defining Multicast Router Ports Defining Forward All Multicast Defining Unregistered Multicast Settings Page Page IP Configuration Layer 2 IP Addressing Layer 3 IP Addressing Loopback Interface Overview Configuring a Loopback Interface IPv4 Management and Interfaces IPv4 Interface Defining an IPv4 Interface in Layer 2 System Mode Page Administration File Management DHCP Auto Configuration Defining IPv4 Interface in Layer 3 System Mode Dynamic IP Address Static IP Address IPv4 Routes Reject Remote RIPv2 Access List VRRP ARP All Normal Age Out ARP Proxy UDP Relay/IP Helper DHCPv4 Snooping/Relay DHCPv4 Snooping DHCPv4 Relay DHCPv4 in Layer 2 and Layer 3 Transparent DHCP Relay Option 82 Interactions Between DHCPv4 Snooping, DHCP v4 Relay and Option 82 Page Page Page DHCP Snooping Binding Database DHCP Trusted Ports How the DHCP Snooping Binding Database is Built Page DHCP Snooping Along With DHCP Relay DHCP Default Configuration Configuring DHCP Work Flow DHCP Snooping/Relay Properties Backup Database Update Interval Backup Database Verify MAC Address Interface Settings DHCP Snooping Trusted Interfaces DHCP Snooping Binding Database Static DHCP Server Dependencies Between Features Default Settings and Configurations Workflow for Enabling the DHCP Server Feature DHCPv4 Server Network Pool Page Excluded Addresses Static Hosts Page DHCP Options Page Address Binding IPv6 Management and Interfaces IPv6 Static Routing IPv6 Global Configuration IPv6 Interface Page DHCPv6 Client Details IPv6 Tunnel Types of Tunnels Configuring Tunnels Auto Interface IPv4 Address Defining IPv6 Addresses IPv6 Router Configuration Router Advertisement Page IPv6 Prefixes Page IPv6 Default Router List Defining IPv6 Neighbors Information Incomplete Probe Delay Stale IPv6 Prefix List Page Viewing IPv6 Route Tables Local DHCPv6 Relay Dependencies with Other Features Global Destinations Interface Settings Domain Name DNS Settings Page Search List Host Mapping OK Negative Cache No Response Page Page Page Page Page Page Page Page Page Page Page IP Configuration: RIPv2 How Rip Operates on the Device Enabling RIP Enabling RIP Offset Configuration Passive Mode Filtering Routing Updates Advertising Default Route Entries on IP Interfaces Redistribution Feature Page Using RIP in Network with Non-Rip Devices RIP Authentication RIP Statistical Counters RIP Peers Database Configuring RIP RIPv2 Properties Page RIPv2 Settings on an IP Interface Displaying RIPv2 Statistic Counters Displaying the RIPv2 Peers Database Access Lists Creating an Access List Populate an Access List Page IP Configuration: VRRP Constraints VRRP Topology Page Page Configurable Elements of VRRP Virtual Router Identification VRRP Versions Virtual Router IP Addresses Source IP Address In a VRRP Router VRRP Router Priority and Preemption VRRP Advertisements Configuring VRRP Virtual Routers Page VRRP Statistics Page Security Defining Users Setting User Accounts Page Setting Password Complexity Rules Configuring TACACS+ Accounting Using a TACACS+ Server Defaults Interactions With Other Features Workflow Configuring a TACACS+ Server Page Page Configuring RADIUS Accounting Using a RADIUS Server Defaults Interactions With Other Features Radius Workflow Page Page Key Manag ement Key Management Creating a Key Chain Page Creating a Key Settings Management Access Method Active Access Profile Page Network Mask Prefix Length Defining Profile Rules Page Management Access Authentication Secure Sensitive Data Management SSL Server SSL Overview Default Settings and Configuration SSL Server Authentication Settings Page SSH Server SSH Client Configuring TCP/UDP Services Page Defining Storm Control Configuring Port Security Page 802.1X Denial of Service Prevention Secure Core Technology (SCT ) Types of DoS Attacks Defense Against DoS Attacks Dependencies Between Features Default Configuration Configuring DoS Prevention Security Suite Settings Page SYN Protection Martian Addresses From Reserved List New IP Address Prefix Length SYN Filtering SYN Rate Protection ICMP Filtering IP Fragmented Filtering DHCP Snooping IP Source Guard Interactions with Other Features Filtering Configuring IP Source Guard Work Flow Enabling IP Source Guard Configuring IP Source Guard on Interfaces Binding Database ARP Inspection ARP Cache Poisoning How ARP Prevents Cache Poisoning Page Interaction Between ARP Inspection and DHCP Snooping ARP Defaults ARP Inspection Work Flow Defining ARP Inspection Properties Defining Dynamic ARP Inspection Interfaces S ettings Defining ARP Inspection Access Control Defining ARP Inspection Access C ontrol Rules Defining ARP Inspection VLAN Settings First Hop Security Page Security: 802.1X Authentication Overview of 802.1X Client or Supplicant Authenticator Authentication Server Authenticator Overview Port Administrative Authentication States Port Host Modes Page Multiple Authentication Methods 802.1x-Based Authentication MAC-Based Authentication WEB-Based Authentication Page Unauthenticated VLANs and the Guest VLAN Host Modes with Guest VLAN RADIUS VLAN Assignment or Dynamic VLAN A ssignment Page Violation Mode Quiet Period Workflow 1: To enable 802.1x authentication on a port: Workflow 2: To configure traps Workflow 3: To configure 802.1x-based or Web-based authentication Workflow 4: To configure the quiet period Workflow 5: To configure the guest VLAN: Workflow 6: To configure unauthenticated VLANs 802.1X Configuration Through the GUI Defining 802.1X Properties Defining 802.1X Port Authentication Page Page Defining Host and Session Authentication Page Viewing Authenticated Hosts Locked Clients Web Authentication Customization Page Page Page Defining Time Ranges Authentication Method and Port Mode Support Legend: Security: 802.1X Authentication Mode Behavior Single- host Multi- host Lite multi- sessions Security: 802.1X Authentication Full multi- sessions Page Security: IPV6 First Hop Security First Hop Security Overview Abbreviations IPv6 First Hop Security Components IPv6 First Hop Security Pipe Page IPv6 First Hop Security Perimeter Router Advertisement Guard Filtering of Received RA, CPA, and IPCMv6 redirect Messages Validation of RA messages Neighbor Discovery Inspe ction Message Validation DHCPv6 Guard Neighbor Binding Integrity Learning Advertised IPv6 Prefixes Neighbor Binding Table Overflow Establishing Binding of Neighbors NBI-NDP method NB Integrity Policy Attack Protection Protection against IPv6 Router Spoofing Protection against IPv6 Address Resolution Sp oofing Protection against IPv6 Duplication Address Detection Spoofing Protection against DHCPv6 Server Spoofing Protection Against NBD Cache Spoofing Policies, Global Parameters and System Defaults Policies Default Policies User-Defined Policies Levels of Verification Rules First Hop Security Common Work Flow Router Advertisement Guard Work Flow DHCPv6 Guard Work Flow Neighbor Discovery Inspection Work Flow Neighbor Binding Work Flow Default Settings and Configuration Before You Start Configuring First Hop Security through Web GUI FHS Common Settings RA Guard Settings Page DHCPv6 Guard Settings Neighbor Discovery Inspection S ettings Page Neighbor Binding Settings Policy Attachment (VLAN) Policy Attachment (Port) Neighbor Binding Table FHS Status Page FHS Statistics Page Security: SSH Client Secure Copy (SCP) and SSH Protection Methods Passwords Public/Private Keys Import Keys SSH Server Authentication SSH Client Authentication Supported Algorithms Before You Begin Workflow2: To import the public/private keys from one device to another: Workflow3: To change your password on an SSH server: SSH Client Configuration Through the GUI SSH User Authentication SSH Server Authentication Changing the User Password on the SSH Server Page Security: Secure Sensitive Data Management Introduction SSD Management SSD Rules Elements of an SSD Rule Page SSD Rules and User Authentication Default SSD Rules SSD Default Read Mode Session Override SSD Properties Passphrase Default and User-defined Passphrases Local Passphrase Configuration File Passphrase Control Configuration File Integrity Control Read Mode Configuration Files File SSD Indicator SSD Control Block Startup Configuration File Running Configuration File Backup and Mirror Configuration File Sensitive Data Zero-Touch Auto Configuration SSD Management Channels Menu CLI and Password Recovery Configuring SSD SSD Properties SSD Rules Page Page Security: SSH Server Workflow3: To import an RSA or DSA key from device A to device B, perform the following steps: SSH Server Configuration Pages SSH User Authentication Automatic Login SSH Server Authentication Page Page Access Control Access Control Lists Defining IPv6-Based ACL Creating ACLs Workflow Modifying ACLs Workflow Defining MAC-based ACLs Adding Rules to a MAC-based ACL Permit Shutdown Deny Page IPv4-based ACLs Defining an IPv4-based ACL Adding Rules (ACEs) to an IPv4-Based ACL TCP IP in IP IGMP ICMP Page Any DSCP to Matc h IP Precedence to match IPv6-Based ACLs Defining an IPv6-based ACL Adding Rules (ACEs) for an IPv6-Based ACL Page Page Defining ACL Binding Page Quality of Service QoS Features and Components QoS Operation QoS Modes QoS Workflow Configuring QoS - General Setting QoS Properties Configuring QoS Queues Strict Priority WRR % of WRR Bandwidth WRR Weight Mapping CoS/802.1p to a Queue Page Mapping DSCP to Queue Page Page Page Page Configuring Bandwidth Configuring Egress Shaping per Queue VLAN Ingress Rate Limit TCP Congestion Avoidance QoS Basic Mode Workflow to Configure Basic QoS Mode Configuring Global Settings Interface QoS Settings QoS Advanced Mode Notes: Workflow to Configure Advanced QoS Mode Configuring Global Settings Configuring Out-of-Profile DSCP Mapping Defining Class Mapping IP MAC IP or MAC IP and MAC QoS Policers Page Defining Aggregate Policers Configuring a Policy Policy Class Maps Use default trust mode Always Trust Set Policy Binding Managing QoS Statistics Policer Statistics Viewing Single Policer Statistics Viewing Aggregated Policer Statistics Viewing Queues Statistics Page Unit No Page Page SNMP SNMP Versions and Workflow SNMPv1 and v2 SNMPv3 SNMP Workflow If you decide to use SNMPv1 or v2: If you decide to use SNMPv3: , . Supported MIBs Model OIDs SNMP Engine ID Page Configuring SNMP Views Creating SNMP Groups To create an SNMP group: Managing SNMP Users Page Defining SNMP Communities Page Defining Trap Settings Notification Recipients Defining SNMPv1,2 Notification Recipients Page Defining SNMPv3 Notification Recipients Page No Authentication Authentication Privacy SNMP Notification Filters